This doesn't work if a devices uses Bypass as default instruction, does it?

One doesn't know the IDCODE in advance, thus detecting this pattern it is harder.

shift DR

shifting DR instead of IR might be faster? This is the case when the DR is smaller than IR.
The IDCODE must be 32 bits long, thus the DR register is 32 bits long if the IDCODE is loaded.
The IR length is usually about 36bits?

Better software

retry on timeout

live display for the status of each pin (at least while not scanning)

IO entry field (to disable single pins or assign const values to them)

(n)TRST support is missing (low active and with high active pulldown transistor)

detect hi impedance pins by looking for pins that change their state with pullups (100k) on/off

warn that hi impedance pins might be disconnected from the jtag!

try the Hi + hi impedance pins for TMS, TCK, TDI first and

the Low ones for nTRST first

read IDCODE?

assist the user in creating the relocations file (pullups on for all pins, user shall put cable between gnd and pin 1..30, one pin at a time)

Better hardware

Arduino / Freeduino based hardware?

Enable easy / fast deployment of the jtag finder

USB connected or not (standalone) operation mode

1.8V support( needed for xbox 360 for example)

AVR alone won't do here (except for tiny2313 but it doesn't have that much pins)

thus I'm thinking about a cpld

could use a whole gang of tiny2313's perhaps

The current hardware is just a proof of concept. Let's build something fiddle-free.

I'd like to design a circuit board for this - if you want one as well please add yourself to this list:

Hunz

Obsidian

Let's collect some suggestions for the hardware here as well. My current suggestion is:

USB powered, USB-to-Serial interface (115200 baud)

socket for an ATMega16L or 32L? running at 7.3728 MHz (for the 115200 baud)

DIL or SMD? (TODO: compare the costs)

Obsidian: Wouldn't DIL make it easier for people to build their own boards?

bootloader for firmware updates

floppy connector compatible 2x17 pin header for the cable to the testpins

extraSTK500 compatible pinheaders (maybe unpopulated) without the 330 Ohm resistors for other applications

costs: about 15-20 Euros

PLEASE add your comments/suggestions!

are 30 IOs enough or do you want more?

Certainly sounds enough for me for the first design.

the ATmega16/32 got 1/2kbyte of SRAM - it's enough for the JTAG scanner but maybe you'd like to do some other things with the board as well?

do you want more processing power? again it's enough for the JTAG scanner but one might want to do other things which need more processing power

detection fails if the value is too small - retry with a bigger value if necessary

15 should be ok for most devices

Output

4/3/2: TDO=6:11/20 means:

for TCK pin 4,

TMS pin 3,

TDI pin 2,

pin 6 ist a TDO suspect - the pattern was shifted in 20 times in at pin 2 (TDI) and found 11 times at pin 6

more advanced: output while scanning a blackberry 7290

scroll upwards and use the gallery

If it doesn't work

have you tried a higher number of shifts?

have you tried increasing the delay?

have you run the scan a 2nd and a 3rd time?

nTRST might be pulled low - the current software doesn't yet support this

enhance the software ;) (ask me if you need help - scroll down for contact)

JTAG might be disabled

by removing some 0-Ohm resistors on the circuit board (look for a connection to the testpins at missing resistors)

by adding additional resistors to set pins to a constant value

if you can't pullup/down a pin with 330 Ohm it's either Vcc/GND or disabled using this method

look for a connected resistor and try removing it

by a burned fuse directly in the chip

bad luck for mortals like us ;-(

by software

maybe keeping the cpu in reset state might help?

Comment from user of many JTAG tools

I think this tool can be quite dangerous when used on some JTAG ports, if you look at [1], for example MPC BDM port (also usable as a JTAG connection) is bad one. If the port has only TCK/TDO/TMS/TDI/nTRST/nSRST pins, then nothing wrong *should* happen, but if there are other signals, be very careful.

Also if you just try random IR/DR scans on a JTAG-enabled chip you may destroy it. For example some CPLDs have special IR command that erases internal flash memory, but this command requires clocking and some termination. When run improperly it can destroy the flash.